CoinGate Privacy Policy

Version applicable as of February 7th 2022

1. Why should I read this Privacy Policy?

   This Privacy Policy (‘policy’) describes how CoinGate (CoinGate is owned and operated by UAB “Decentralized”) (hereinafter referred to as the “Company”, “we”, “us”, “our”) collects, uses, discloses, and stores your personal information and what statutory rights do you have. We protect your personal information under the applicable data protection laws. We may amend this policy unilaterally from time to time. Any such amendments will be effective immediately upon publication, therefore please visit our website regularly for the latest version of this policy.

2. Who is responsible for protecting my information?

   We are: CoinGate (owned and operated by UAB “Decentralized”)
   Our company number is: 303423510
   Our address: A. Goštauto g. 8-331, LT-01108 Vilnius
   Our e-mail address: info@coingate.com

3. Why and how do you use my information?

   3.1 To provide you with virtual currency purchasing, payment processing collection and related services

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When you are our client, manager, or representative of a legal entity or shopper	E-mail address, password, country, IP address, name and surname, gender, place of birth, address, telephone number, cryptocurrency address, bank account number, account number of money withdrawal platform, PayPal address, transaction amount, transaction currency, transaction time, address of the sender of the transaction, address of the payee of the transaction, power of attorney, data provided in the business registration certificate, data provided in the document of business address proof, requests for overpayments, Facebook ID information, Google ID information, other information provided by you	Contract (Art. 6 (1) (b) of GDPR)	From yourself	It is a contractual requirement. If you do not provide this information, we will not be able to provide our services	10 years after termination of your account

   3.2 To provide you with virtual currency swap services

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When you use our virtual currency swap services without undergoing a verification (identification) process	Email address, country, IP address, types of swapped virtual currencies, cryptocurrency address, transaction amount, device fingerprint, telephone number	Contract (Art. 6 (1) (b) of GDPR)	From yourself	It is a contractual requirement. If you do not provide this information, we will not be able to provide our services	10 years after the use of our currency swap services

   3.3 To enable you to exchange your virtual currencies into various gift cards

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When you exchange your virtual currencies into gift cards of various vendors and platforms	First name, last name, email address, country, IP address, cryptocurrency address, transaction amount, type and amount of gift card, email of the person to whom you send the gift card	Contract (Art. 6 (1) (b) of GDPR)	From yourself	It is a contractual requirement. If you do not provide this information, we will not be able to provide our services	10 years after the exchange of your virtual currency to a gift card

   3.4 To verify you when necessary

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When you use our virtual currency purchasing, payment processing collection services, or when you use our virtual currency swap services and make a transaction larger than 1 000 EUR or a transaction that raises suspicion	Country of residence, name and surname, gender, place of birth, date of birth, nationality, address, telephone number, ID number, personal code, ID expiry date, ID copy, photo of you	Contract (Art. 6 (1) (b) of GDPR)	From yourself	It is a contractual requirement. If you do not provide this information, we will not be able to provide our services	10 years after termination of your account

   3.5 To implement measures of anti-money laundering (AML) and counter-terrorist financing (CTF)

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When establishing a business relationship with us (when you are a customer (natural person), company’s manager or a representative)	Name and surname, ID information (such as number, date of issuance, period of validity), date of birth, sex, no personal number (true/false), personal number, personal number type, document number, date of expiry, document type, issuing country, citizenship or citizenships, nationalities, place of birth, address, city, postal code, country of residence, annual income, are transactions over 15 000 EUR expected? (yes/no). source of funds, source of wealth, expected yearly turnover using our services, used services, countries from which funds will be incoming, account opening purposes, geolocation data, information on the company’s director and representative (name, surname, ID, date of birth, sex, no personal number (true/false), personal number, personal number type, document number, date of expiry, document type, the country that has issued an identity document, citizenship, nationalities, place of birth, address, city, postal code, country of residence, sanctions, current position, email), information on the ultimate beneficial owner (name, surname, sex, personal number, date of birth, place of birth, address, citizenship, nationality, country, website (reputable third-party source), amount of shares, stake in the main company.	Legal obligation (Art. 6 (1) (c) of GDPR) Art. 9, ,11, 12, 16 of the Law on AML	From yourself, AML/CTF service providers	It is a statutory requirement. If you do not provide this information, we will not be able to provide our services	For the duration of and 8 years after the termination of the business relationship
   	Information on participation in politics - whether you (trader) are a politically exposed person (PEP), whether the beneficial owner of the company, their immediate family member, or a close associate is a PEP, and information on the beneficial owner’s prominent public functions	Reasons of substantial public interest (Art. 9 (2) (g) of GDPR) Art. 14 of the Law on AML

   3.6 To ensure security of and improve our website

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When you use our website	Internet protocol address (IP), user agent, referrer url, date and time of website visiting	Legitimate interest (security and improvement of our website) (Art. 6 (1) (f) of GDPR)	From yourself	No	10 years after your last visit of our website

   3.7 To provide you with customer support

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When you submit an inquiry to our customer support	E-mail address, subject of your inquiry, date of your inquiry, content of your inquiry, attachments to your inquiry, your name and (or) surname provided in your inquiry, reply to your inquiry, information provided by you	Consent (Art. 6 (1) (a) of GDPR)	From yourself	No	10 years after the receipt of the last inquiry

   3.8 To inform you about our services that may be relevant to you

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When we want to inform you or ask your opinion about our services	Name and surname, e-mail	Consent (Art. 6 (1) (a) of GDPR) (Art. 69 (1) of Lithuanian Law on Electronic Communications) Customer relationship (Art. 69 (2) of Lithuanian Law on Electronic Communications) Legitimate interest (to send direct marketing communications) (Art. 6 (1) (f) of GDPR)	From yourself Social media service providers Marketing service providers	No	10 years after the last use of our services or after you give your consent unless you withdraw your consent earlier

   3.9 To manage our social media profiles

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my data?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   If you interact with our social media profiles (e.g., send a message, follow our profiles, share a post, react to a post)	Name and surname indicated in your profile, e-mail address, gender, country, picture, message, time, and date the message was received, content of the message, message attachments, response to the message, time of response to the message, information about our rating, comments on a post, post shares, information about post reactions	Consent (Art. 6 (1) (a) of GDPR)	From yourself and social media platforms	You are not statutorily or contractually obliged to provide this personal data, but we will collect this data if you interact with our social media profiles	10 years from the moment you interact with our social media profiles

   3.10 To carry out the selection of potential employees

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When we receive your application for a job position, when you give us your consent for storing your CV, or we contact you based on the information you publicly disclose on professional social media platforms	Full name, e-mail, phone number, CV, work experience, other information you provide us with	Consent (Art. 6 (1) (f) of GDPR) Contract (Art. 6 (1) (b) of GFPR) Legitimate interest (to contact you when you publicly disclose your information on professional social media platforms) (Art. 6 (1) (f) of GDPR)	From yourself Professional social media service providers HR agencies	It is a requirement necessary to enter into a contract only where we intend to enter into an employment contract with you. If you do not provide this information, we will not be able to enter into an employment contract with you.	3 years after the end of the relevant recruitment process 5 years after you give us your consent or publicly disclose your information on professional social media platforms

   3.11 To fulfill statutory accounting requirements

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   When you use our services	Full name, e-mail address, telephone number, bank account number, address, signature, invoices, reports, accounting documents, payments, paid amounts, other information we are statutorily required to collect	Legal obligation (Art. 6 (1) (c) of GDPR) aw on Accounting of the Republic of Lithuania	From yourself	It is a statutory requirement. If you do not provide this information, you will not be able to buy goods or services from us	10 years following a transaction

   3.12 To defend our rights and interests

   When is this relevant for me?	What information do you collect about me?	What is your legal basis to collect my information?	Where do you collect the information from?	Am I obliged to provide this information?	How long do you store information about me?
   In case we become a party to legal process which you are subject to or we are statutorily required to collect information about you	All of the afore-mentioned information, accounting and legal case files, legal documents, other information you provide us with, other information that we are statutorily required to collect and/or provide	Legal obligation (Art. 6 (1) (c) of GDPR) Legitimate interest (to protect our rights and interests) (Art. 6 (1) (f) of GDPR).	From afore-mentioned sources, law enforcement authorities, parties that are subject to legal process, courts	Yes, where we are statutorily obliged to collect personal information	10 years following the end of the contractual relationship with us or, whichever is longer, for the duration of the legal process and 3 years after a final authority decision came into full force
   	If the case arises - information about criminal offenses and convictions	Establishment, exercise, or defense of legal claims (Art. 9 (2) (f) of GDPR)

4. Who do you share my data with?

   We share your data with data recipients, both within and outside the European Economic Area (EEA), in cases where necessary for the above-described purposes and allowed in accordance with applicable laws.

   No	Category of information recipient	Information recipient	Country of the recipient	What is the legal basis to transfer my data outside the EEA?
   4.1.	AML and identification service providers	Onfido Ltd.	UK	Decision on the adequate protection of personal data by the United Kingdom (link)
   		Elliptic Enterprises Ltd.	UK
   		Other service providers	Worldwide	EU Standard Contractual Clauses for the transfer of data as approved by the European Commission (link) (further - EU Standard Contractual Clauses)
   4.2.	Banking, payment processing, crypto exchange and other financial service providers	UAB “IBS Lithuania”	Lithuania (EU)	N/A
   		UAB "Nexpay"	Lithuania (EU)	N/A
   		UAB "Binance"	Lithuania (EU)	N/A
   		Bitstamp Ltd.	UK	Decision on the adequate protection of personal data by the United Kingdom (link)
   		Other service providers	Worldwide	EU Standard Contractual Clauses (link)
   4.3.	Software service providers	Microsoft Corporation	US	Microsoft Standard Contractual Clauses (link)
   		Other software service providers	Worldwide	EU Standard Contractual Clauses (link)
   4.4.	Communication tools service providers	Skype Communications S.a r.l.	Luxembourg (EU)	N/A
   		Slack Technologies, LLC	US	Slack Technologies Standard Contractual Clauses (link)
   		Other service providers	Worldwide	EU Standard Contractual Clauses (link)
   4.5.	Social media service providers	Facebook Ireland Ltd.	Ireland (EU)	N/A
   		Reddit Ireland Ltd.	Ireland (EU)	N/A
   		Twitter Inc.	US	EU Standard Contractual Clauses (link)
   		Other service providers	Worldwide	EU Standard Contractual Clauses (link)
   4.6.	Customer support service providers	Zendesk, Inc.	US	Zendesk Standard Contractual Clauses (link)
   4.7.	Cloud hosting service providers	Amazon Web Services, Inc.	US	Amazon Standard Contractual Clauses (link)
   		Google LLC.	US	Google Standard Contractual Clauses (link)
   		Other service providers	Worldwide	EU Standard Contractual Clauses (link)
   4.8.	Marketing service providers	Calendly LLC	US	EU Standard Contractual Clauses which are incorporated by reference to the Calendly Data Processing Addendum (link)
   		Other service providers	Worldwide	EU Standard Contractual Clauses (link)
   4.9.	Compliance and legal service providers	Other service providers	EU countries and UK	Decision on the adequate protection of personal data by the United Kingdom (link)
   4.10.	State institutions and regulatory authorities	Bank of Lithuania, State Tax Inspectorate, Financial Crime Investigation Service, Center of Registers, State Security Department of Lithuania, law enforcement authorities and courts, other state authorities	Worldwide	The necessity to establish, exercise or defend legal claims (Art. 49(1)(e) of the GDPR)

5. What statutory rights do I have regarding my data?

   Subject to conditions, limitations, and exceptions established by statutory data protection provisions, you have the rights listed below:

   My right	When is this right applicable to me?
   Right of access	When you seek to obtain confirmation as to whether we collect or otherwise process personal data concerning you, and, where that is the case, access to the personal data and the information about the data processing.
   Right to rectification	When you seek to obtain from us the rectification of inaccurate personal data concerning you.
   Right to erasure (‘right to be forgotten”)	When personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; When you withdraw consent on which the processing is based and there is no other legal ground for the processing; When you object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes; Where the personal data have been unlawfully processed; Where the personal data have to be erased for compliance with a legal obligation; Where the personal data have been collected in relation to the offer of information society services directly to a child and subject to a consent.
   Right to restriction of processing	Where the accuracy of the personal data is contested by you; Where the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; Where we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; Where you have objected to processing.
   Right to data portability	Where you seek to receive the data you have provided in a structured, commonly used and machine-readable form or to transmit those data to another controller, the processing is based on consent or on a contract and is carried out by automated means.
   Right to object	Where the collection and use is based on a task carried out in the public interest or in the exercise of official authority vested or legitimate interest, including profiling, as explained in Section 3 of this Privacy Policy, or where you object to the collection of your personal data for direct marketing purposes.
   Right to withdraw consent	Where the processing is based on consent, as explained in Section 3 of this Privacy Policy, and you seek to withdraw it at any time.
   Right to lodge a complaint	Where you want to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the GDPR.

6. Do you engage in automated individual decision-making, including profiling?

   We perform profiling only for AML regulations’ compliance purposes and to protect our platform from money laundering and terrorist financing. Without AML profiling we will not be able to provide you with our services. We create an AML risk profile after you fill in the “Know Your Customer” (KYC) questionnaire and then we continue to monitor the unexpected changes in your transactional behavior within our platform. AML profiling does not affect your use of our platform if there is no suspicious activity in your account.

7. Does your website place cookies on my device?

   Yes, our website places the following cookies on your device:

   Cookie category	Cookie name	Cookie expiry
   Necessary	_GRECAPTCHA	179 days
   	rc::a	Persistent
   	rc::b	During the browsing session
   	rc::c	During the browsing session
   	test_cookie	1 day
   	_zlcmid	365 days
   Preferences	Lang	During the browsing session
   	trade_options	365 days
   	trade_values	1 hour
   	gc_user_s	1 year
   	last_item	1 year
   Statistics	_ga	2 years
   	_hjAbsoluteSessionInProgress	1 day
   	_gat	1 day
   	_gid	1 day
   	_hjFirstSeen	1 day
   	_hjIncludedInSessionSample	1 day
   	AnalyticsSyncHistory	29 days
   	collect	Session
   	personalization_id	2 years
   	px.gif	Session
   	_fbp	3 months
   	sc	365 days
   	sentryid	365 days
   	TSNGUID	365 days
   	_hjSession	1 day
   	device_id_	365 days
   	_hjSessionUser_	1 year
   	first_acquisition	1 year
   Marketing	/ad/#/pixel	Session
   	_gcl_au	3 months
   	ads/ga-audiences	Session
   	bcookie	2 years
   	bscookie	2 years
   	IDE	1 year
   	lang	Session
   	lidc	1 day
   	pagead/1p-user-list/#	During the browsing session
   	pagead/landing	Session
   	Tr	Session
   	uaid	30 years
   	UserMatchHistory	29 days
   	nQ_cookieId	1 year
   	nQ_userVisitId	1 day
   Unclassified	simplex-logo.png	Session

8. How can I manage cookies?

   You can configure your browser to decline some or all cookies or to ask for your permission before accepting them. Please note that by deleting cookies or disabling future cookies you may be unable to access certain areas or features of our website. You can control the use of functionality cookies, targeting cookies or advertising cookies by adjusting your browser settings. To find out how to manage cookies in your browser, please visit one of the links below:

   • Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
   • Google Chrome: https://support.google.com/chrome/answer/95647
   • Opera: https://www.opera.com/help/tutorials/security/privacy
   • Microsoft Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
   • Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-information-sfri11471/mac

9. How can I contact your data protection officers?

   If you have any questions, comments, or complaints regarding how we collect, use, and store your personal information, our data protection officers are ready to help you. If you need their help, you may contact them at any time via dpo@coingate.com.